LinkedIn SSL Leaves Accounts Vulnerable to Hijacking

A security researcher has identified two vulnerabilities on the business-oriented social network LinkedIn that leave member accounts open to takeover by attackers.

"There exist multiple vulnerabilities in LinkedIn in the way it handles the cookies and transmits them over SSL. This vulnerability, if exploited, can result in hijacking of user accounts and/or modifying the user information without the consent of the profile owner," writes Rishi Narang, the researcher who identified the vulnerabilities.

Narang identified the first vulnerability as an "SSL cookie without [a] secure flag set." Because the flag is absent, the browser attaches the session cookie to plain HTTP requests for the domain as well as to HTTPS ones, exposing it on the wire and leaving the account susceptible to hijacking.

"An attacker may be able to perform a man-in-the-middle (MITM) attack, and thus capture these cookies from an established LinkedIn session," Narang wrote.

The root of the problem is not the login page, which is served over SSL, but what happens afterwards: without the Secure flag the browser will send the authentication cookie over any unencrypted HTTP connection to the domain, where anyone on the network path (an open Wi-Fi hotspot, for example) can read it.

"Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form https://www.linkedin.com to perform the same attack," Narang continued.
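As an added example, not code from the article or from LinkedIn, the following checker audits `Set-Cookie` headers for the first finding (no `Secure` flag) and the related weaknesses a practitioner would look for at the same time (no `HttpOnly` flag, a lifetime far longer than a session needs), and models the one browser rule the attack relies on: a cookie without `Secure` is attached to `http://` requests too. The sample headers, the cookie name `sid`, the domain `example.com` and the 24-hour lifetime threshold are constructed assumptions, not captured LinkedIn traffic.

```python
"""Audit Set-Cookie headers for: no Secure flag, no HttpOnly flag, over-long lifetime."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Assumption: a cookie the browser keeps longer than this should be a server-revocable
# session, not a long-lived bearer token. Tune to the application's risk appetite.
MAX_SESSION_LIFETIME = timedelta(hours=24)


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, str] = field(default_factory=dict)  # attribute names lower-cased


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie value into name, value and attributes (RFC 6265 layout)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def browser_would_send(cookie: Cookie, url: str) -> bool:
    """The rule behind the first finding: without the Secure attribute the browser
    sends the cookie on plain http:// requests to the domain as well as https://."""
    scheme = url.split("://", 1)[0].lower()
    return scheme == "https" or "secure" not in cookie.attrs


def lifetime(cookie: Cookie, now: datetime) -> Optional[timedelta]:
    """How long the browser keeps the cookie; None means a true session cookie."""
    if "max-age" in cookie.attrs:
        return timedelta(seconds=int(cookie.attrs["max-age"]))
    if "expires" in cookie.attrs:
        return parsedate_to_datetime(cookie.attrs["expires"]) - now
    return None


def audit(header: str, now: datetime) -> List[str]:
    """Return finding codes for one Set-Cookie header; an empty list means it passes."""
    cookie = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in cookie.attrs:
        findings.append("missing-secure")      # capturable on any HTTP request to the domain
    if "httponly" not in cookie.attrs:
        findings.append("missing-httponly")    # readable by injected script
    life = lifetime(cookie, now)
    if life is not None and life > MAX_SESSION_LIFETIME:
        findings.append(f"long-lived:{life.days}d")
    return findings


# Constructed sample headers (not captured from LinkedIn); 'sid' and example.com are placeholders.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
WEAK_HEADER = "sid=4f3c9a1e; Path=/; Domain=.example.com; Expires=Thu, 01 Jan 2026 00:00:00 GMT"
FIXED_HEADER = "sid=4f3c9a1e; Path=/; Domain=.example.com; Max-Age=1800; Secure; HttpOnly"

if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("fixed", FIXED_HEADER)):
        c = parse_set_cookie(header)
        print(label, audit(header, NOW),
              "sent over http:", browser_would_send(c, "http://www.example.com/"))
```

Run it against headers copied from a browser's developer tools or an intercepting proxy. The `Secure` flag only stops the browser from volunteering the cookie on cleartext requests; a cookie that was itself set over HTTP, or a site that still serves any page over HTTP, needs HSTS and an all-HTTPS deployment to close the gap fully.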

The second vulnerability relates to "cookie expiration and session handling," where "the cookie for an authenticated session is available even after the session has been terminated or way beyond the date of expiry (instead compared to session logout, it is valid for 1 year). There are examples where cookies are accessible to hijack authenticated sessions. And these cookies are months old..."

An authentication cookie captured in unencrypted form, and still honoured by the server long after the victim has logged out, gives an attacker full access to the account: the opportunity to modify profile information and settings, and to expose the user's network contacts to phishing and social engineering.

"In just 15 minutes, I was successfully able to access multiple active accounts that belong to individuals from different global locations. They would have logged in/logged out many a time in these months but their cookie was still valid," Narang explains.
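The second finding, as an added example that is not from the original article and does not reproduce LinkedIn's actual mechanism: two toy session implementations side by side show why a logout that only discards the browser's copy of a cookie leaves a previously captured copy usable for the cookie's whole lifetime, and why the fix is a server-side session record that logout revokes and that expires on its own. The HMAC-signed cookie, `FakeClock`, the user names and the one-year lifetime are assumptions chosen for the demonstration.

```python
"""Why logout must revoke on the server: a captured bearer cookie vs. a revocable session."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

ONE_YEAR = 365 * 24 * 3600  # assumed lifetime, matching the "valid for 1 year" finding


class FakeClock:
    """Controllable time source so the example runs offline and deterministically."""
    def __init__(self, now: float = 1_700_000_000.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


class SignedCookieSessions:
    """Weak pattern (assumed, not LinkedIn's code): the cookie itself is the credential,
    an HMAC over user and expiry. The server stores nothing, so 'logout' can only delete
    the browser's copy; a copy captured earlier keeps working until the embedded expiry."""
    def __init__(self, key: bytes, lifetime: int, clock: Callable[[], float] = time.time):
        self.key, self.lifetime, self.clock = key, lifetime, clock

    def _mac(self, payload: str) -> str:
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def login(self, user: str) -> str:
        payload = f"{user}|{int(self.clock()) + self.lifetime}"
        return f"{payload}|{self._mac(payload)}"

    def logout(self, token: str) -> None:
        pass  # nothing to revoke: there is no server-side record of the session

    def user_for(self, token: str) -> Optional[str]:
        parts = token.split("|")
        if len(parts) != 3:
            return None
        user, expires, mac = parts
        if not hmac.compare_digest(mac, self._mac(f"{user}|{expires}")):
            return None  # tampered or forged
        return user if self.clock() < int(expires) else None


class ServerSideSessions:
    """Fixed pattern: the cookie is a random lookup key; identity and expiry live on the
    server, so logout deletes the record and any captured copy of the cookie dies with it."""
    def __init__(self, lifetime: int, clock: Callable[[], float] = time.time):
        self.lifetime, self.clock = lifetime, clock
        self._sessions: Dict[str, Tuple[str, float]] = {}

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
        self._sessions[token] = (user, self.clock() + self.lifetime)
        return token

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def user_for(self, token: str) -> Optional[str]:
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expires_at = entry
        if self.clock() >= expires_at:
            self._sessions.pop(token, None)  # absolute lifetime enforced server-side
            return None
        return user


def replay_after_logout(store, user: str = "alice") -> Optional[str]:
    """Simulate the scenario above: capture the cookie, let the victim log out, replay it."""
    captured = store.login(user)
    store.logout(captured)
    return store.user_for(captured)


if __name__ == "__main__":
    clock = FakeClock()
    print("signed cookie after logout:",
          replay_after_logout(SignedCookieSessions(b"demo-key", ONE_YEAR, clock)))
    print("server-side session after logout:",
          replay_after_logout(ServerSideSessions(ONE_YEAR, clock)))
```

In the weak variant the replay still returns the victim's identity; in the fixed one it returns nothing. A real deployment would also cap the absolute lifetime at hours rather than a year, rotate the session identifier at login, and keep the revocation list in shared storage so every application server honours a logout.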

A representative for LinkedIn issued a statement regarding security on the professional network, but did not specifically address the vulnerabilities identified by Narang.

"LinkedIn takes the privacy and security of our members seriously so, among other security measures, we currently support SSL for logins and other sensitive web pages. In addition, we seek to improve our site's security and are, for instance, evaluating opt-in SSL support for other parts of the site and expect those to be available in the coming months. Using SSL effectively scrambles cookies sent between servers and users' computers," the LinkedIn spokesperson stated.

Until LinkedIn addresses the problem, the only option a concerned account holder has is to delete the account and open a new one with the same email address, which invalidates the previously issued authentication cookies.

This is not the first issue LinkedIn has had this year concerning privacy and security problems with cookies. In March, a lawsuit was filed in the U.S. District Court for the Northern District of California by LinkedIn member Kevin Low alleging that the social network is violating user privacy.

The crux of the lawsuit is centered around personally identifiable information provided to third party advertisers and has implications for behavioral advertising data collection techniques.

Specifically, referrer headers sent to the third parties contain a unique identifier that is associated with a cookie issued by LinkedIn. The suit maintains that this practice reveals sensitive information regarding the referring member's browsing habits and history.

"Anyone who has used the Internet to discreetly seek advice about hemorrhoids, sexually transmitted diseases, abortion, drug and/or alcohol rehabilitation, mental health, dementia, etc., can be reasonably certain that these sensitive inquiries have been captured in the browsing history and incorporated into a personalized profile which will be packaged for sale to marketers," the lawsuit contends.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
